Outing of Chinese hacking unit failed to stop attacks

By Edd Gent

Published Thursday, November 7, 2013

The outing of a secretive Chinese military hacking unit has failed to halt cyber attacks from the country.

Cyber security company Mandiant released a report in February that identified the People's Liberation Army's Shanghai-based Unit 61398 as the most likely culprit in hacking attacks on a wide range of industries, though China's Defence Ministry denied the accusations.

But the US-China Economic and Security Commission, a panel which advises the US Congress on China policy, said Mandiant's revelations brought only a brief pause in cyber intrusions by that PLA unit.

"There are no indications the public exposure of Chinese cyber espionage in technical detail throughout 2013 has led China to change its attitude toward the use of cyber espionage to steal proprietary economic and trade information," the commission said in a draft of their annual report to Congress.

The draft report, made available to Reuters yesterday, said Mandiant's revelations "merely led Unit 61398 to make changes to its cyber 'tools and infrastructure' (to make) future intrusions harder to detect and attribute".

The commission's report, to be released in final form later this month, quoted Mandiant experts as saying the Chinese military hackers decreased their activities for about a month following the February publication of Mandiant's report.

A Mandiant spokeswoman said that within a few weeks of the February report, hacking activity from China had returned to about the same level, though the group was using some different tools.

"From what we can tell, they are still stealing the same type of data from the same industries," Mandiant spokeswoman Susan Helmick said. "The focus appears to be the same but the methods and malware, they had to shift."

A spokesman for the Chinese embassy in Washington yesterday repeated China's response to the initial Mandiant report.

"Cyber-attacks are transnational and anonymous," said spokesman Geng Shuang. "We don't know how the evidence is collected in this report."

Geng added: "China stands against cyber-attacks and has done what it can to combat such activities in accordance with Chinese laws and regulations."

The February Mandiant report said PLA Unit 61398 is located in Shanghai's Pudong district, China's financial and banking hub, and is staffed by perhaps thousands of people proficient in English as well as computer programming and network operations.

It said the unit had stolen hundreds of terabytes of data from at least 141 organisations across a diverse set of industries – mostly in the USA, with smaller numbers in Canada and Britain.

The information stolen ranged from details on mergers and acquisitions to the emails of senior employees, the company said.

A report in July issued by the Commission on the Theft of American Intellectual Property said theft of business and industrial secrets cost the US economy some $300bn (£190bn) a year and that China was responsible for most of it.

In June, President Barack Obama and his Chinese counterpart, Xi Jinping, agreed to launch a bilateral working group to discuss cyber security issues. The group has met twice since July.

The US-China Economic and Security Commission said it was told by experts that former US National Security Agency contractor Edward Snowden's revelations of NSA cyber-operations against targets in China and Hong Kong would set back efforts to address Chinese cyber-attacks by six months to a year.